Method for secure data exchange between two devices

ABSTRACT

This invention concerns a secure data exchange method between two devices locally connected to one another. In a preferred embodiment, the first device is a security module containing a first encrypting key, namely the private key of a pair of asymmetric encrypting keys. The second device is a receiver comprising at least one second encrypting key, namely the public key of said pair of asymmetric encrypting keys. Furthermore, each of the devices holds a symmetric key. The first device generates a first random number, which is encrypted with said private key and then transmitted to the second device, where it is decrypted by means of the public key. The second device generates a second random number, which is encrypted with said public key and then transmitted to the first device, where it is decrypted by means of the private key. A session key, used for the secure data exchange, is generated by combining the symmetric key with the random numbers generated and received by each of the devices.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims priority under 35 U.S.C. §§120/121 to U.S. patent application Ser. No. 10/517,428, filed on Dec. 10, 2004, which is a National Stage of International Application No. PCT/IB03/02425, filed on Jun. 10, 2003, and claims the benefit of Swiss Patent Application No. 1002/02, filed on Jun. 12, 2002. The disclosures of each of the above applications are incorporated herein by reference.

DESCRIPTION

This invention concerns a secure data exchange method between two devices locally connected to each other, in particular between a receiver and a security module.

It also concerns a receiver designed to implement the method according to the invention.

Secure methods currently exist for exchanging data between two devices such as a receiver and a security module, for example in the domain of pay-TV.

Such a method is described in particular in the international patent application published under No. WO 97/38530. According to this method, the receiver contains a public asymmetric encrypting key and the security module contains the corresponding private asymmetric encrypting key. When the method is initialised, that is to say for example when the security module is inserted into the receiver, the receiver generates a random number A and a random key Ci. These two random elements are encrypted with the receiver's public key and then sent to the security module in encrypted form.

The random number and the random key are then decrypted by means of the private key.

According to a particular embodiment, the random number A, once decrypted with the private key, can then be encrypted in the security module by means of the random key Ci and transferred to the receiver, where it is decrypted with the same random key generated initially. The random number A′ obtained at this stage is compared with A, the number generated by the receiver, in order to verify that the security module is indeed the one that must be used with this receiver. When a different security module is used with this receiver, the two random numbers A and A′ will not match and the communication is interrupted. If the security module and the receiver are recognised as being able to exchange data with each other, the random key Ci is used as a session key, that is to say that all the data exchanged in secure form between the security module and the receiver during a given session, for example until the security module is withdrawn, is encrypted by means of this random key.

This form of execution has drawbacks regarding security. The receiver, unlike the security module, is not considered a trustworthy element, and the public key of a receiver can be determined by technical means and computer analysis. It is therefore possible to modify a receiver so that it generates a predetermined key in place of the random key Ci.

In this case, the verification of the communication with the security module is carried out with a predetermined key.

The "random" key Ci being known, the messages can then be decrypted and, in the case of pay-TV in particular, the data necessary for the system to work, especially the Control Words, can be decrypted and made available to third parties, for example over a network such as the Internet. It should be noted that the random key Ci is a symmetric key.

Once it is known, whether because it has been predefined or because it has been obtained in some other way, it can be used to decipher both the messages originating from the receiver and those coming from the security module.

This invention proposes to avoid this drawback by offering a secure data transfer process between a receiver and a security module, thanks to which the unauthorised decryption of data is made particularly difficult.

This aim is achieved by a secure data exchange method between two devices locally connected to each other, in particular between a security module and a receiver, the first device comprising at least one first encrypting key of a pair of asymmetric encrypting keys and the second device comprising at least one second encrypting key of said pair of asymmetric encrypting keys, these keys having been previously initialised in the first and second device, the method including the following steps:

generating at least one first random number in the first device,

generating at least one second random number in the second device,

encrypting said first random number with said first encrypting key,

encrypting said second random number with said second encrypting key,

transmitting said encrypted first random number to the second device,

transmitting said encrypted second random number to the first device,

decrypting, in said second device, the encrypted first random number,

decrypting, in said first device, the encrypted second random number,

combining, in each device, the random number it generated with the random number it received from the other device to generate a session key,

and using the session key to encrypt all or part of the data exchanged between the first and second device.

This invention and its advantages will be better understood with reference to different particular embodiments of the invention and to the attached drawings, in which:

FIG. 1 represents a first embodiment of this invention,

FIG. 2 shows a second embodiment of the invention,

FIG. 3 schematically shows a kind of number structure such as that used in the method according to the invention, and

FIG. 4 represents a third embodiment of this invention.

With reference to these figures, reference 10 schematically represents a security module and reference 11 a receiver.

The security module 10 and the receiver 11 are jointly referred to as the devices in the rest of the text. As the expert knows, the security module 10 can in particular take the form of a microchip card or of a module containing a chip, such as the connector known as a "dongle". It is clear that other embodiments could be imagined without leaving the scope of this invention.

This security module 10 contains the private asymmetric key PAKV of a pair of asymmetric keys. This key can be introduced into the security module 10 for example when the module is manufactured or at a later stage, in a management data centre or through a secure connection between said management centre and the security module. It is stored in a non-volatile memory of the module.

The receiver 11, in particular in the case of pay-TV, is generally a box connected to the television set. It contains the public asymmetric key PAKB from said pair of asymmetric keys. This public key is thus matched to the private key of the security module. The public key is generally programmed when the receiver is manufactured or during an initialisation phase in a protected environment. It can also be securely loaded remotely by broadcasting.

In the domain of pay-TV especially, it is desirable that one receiver operates with only one security module. This prevents rights loaded in a security module belonging to a given owner from being used in several receivers belonging to other owners. For this reason, the security module and the receiver are matched in such a way that a given security module functions only with one receiver and conversely. This matching is done by means of the pair of asymmetric keys, one of which is loaded in the security module and the other in the receiver. In principle, the pairs of asymmetric keys are unique. In practice, however, when the number of users is very high, the same pair of keys may be assigned several times, keeping the probability that rights can be exchanged very low. This risk can be reduced to zero by using a unique supplementary symmetric key, as explained below with reference to FIG. 4.

In the embodiment disclosed in FIG. 1, the process of the invention takes place in the following way: when a communication between the two devices, namely the security module 10 and the receiver 11, is initiated, the security module first generates a random number A. This is represented surrounded by a circle in FIG. 1. This random number is encrypted in the security module 10 with the private key PAKV, so as to obtain an encrypted random number A′ (A′=PAKV(A)). This is transmitted to the receiver 11. The encrypted random number A′ is decrypted in the receiver by means of the public key PAKB, which yields the initial random number A.

Conversely, the receiver 11 generates a random number B, represented surrounded by a circle in FIG. 1. This random number B is encrypted in the receiver using the public key PAKB. One thus obtains an encrypted random number B′ (B′=PAKB(B)), which is transmitted to the security module 10. The encrypted random number B′ is decrypted in the security module by means of the private key PAKV, which yields the initial random number B.

In this way, both the security module and the receiver hold the random number A generated by the security module and the random number B generated by the receiver. These two random numbers are combined so as to generate a new random number, which is used, in a first embodiment, as a session key SK. The combination can be carried out by a simple concatenation of the two numbers, by an exclusive OR, or by any other suitable combination.

The session key SK thus generated is used for all the secure communications between the security module and the receiver.

This embodiment offers the user great security, since it is reputed to be impossible to learn the private key contained in the security module. While it may be possible to impose a determined number in place of the random number B in the receiver, it is not possible to impose a random number A in the security module.

Similarly, by sophisticated technical means one can determine the public key PAKB, but one cannot deduce the private key PAKV from it. Therefore, the fact that each of the devices generates a random number, and that these numbers are encrypted with asymmetric keys, prevents an attacker from deceiving a device by imposing the keys and the random numbers.

In the embodiment according to FIG. 2, as in that of FIG. 1, a random number is generated by each of the devices. It is encrypted with the corresponding key and transmitted to the other device in encrypted form.

The random number A received by the receiver 11 is then encrypted again, this time with the public key PAKB of the receiver, so as to obtain a new encrypted number A″ (A″=PAKB(A)), which is sent to the security module 10.

There it is decrypted with the private key PAKV. If the private key PAKV and the public key PAKB used respectively in the security module 10 and in the receiver 11 are matched, the number A thus obtained is identical to the original random number A generated by the security module. As shown in FIG. 2, the method has a comparison stage 12 between the random number A resulting from the decryption of the number A″ encrypted in the receiver 11 and the random number A generated by the security module 10. If these numbers are not identical, one can deduce that the security module is not matched to the receiver and that the communications or data transfers must be interrupted. This can happen for example when a security module is introduced into a receiver other than the one it has been matched with, or when a security module is simulated, for example by means of a computer.

Similarly, the random number B received by the security module 10 is also encrypted with the private key PAKV of this module, so as to obtain an encrypted number B″ (B″=PAKV(B)).

This is sent to the receiver 11, where it is decrypted by means of the public key PAKB. A random number B is thus obtained, which is compared with the original random number B generated by the receiver 11. As before, the two random numbers are compared in a comparison stage 12. If these two random numbers are not identical, the communication is interrupted.

If the comparison of the random numbers gives a positive result, that is to say if the security module 10 and the receiver 11 are matched, a session key SK is generated by combining the random numbers A and B. This session key is used for the subsequent secure communications between the security module and the receiver.

This embodiment has the advantage that the random numbers before and after encryption are compared by both the security module 10 and the receiver 11. In this way, even if a third party obtains the public key of the receiver, it cannot be used to decrypt the messages exchanged between the security module and the receiver. Likewise, if a security module is used on a receiver for which it is not intended, the data cannot be decrypted.

In the method according to FIG. 3, two parts b and c, each with a built-in function, are added to the random number described previously, for example the random number A of FIGS. 1 and 2. b is a random number generated in the security module 10. c is a fixed preset number, called the "pattern", which is stored in the security module 10 and in the receiver 11. This pattern can for example be formed from an alternating sequence of 0s and 1s.

According to a first embodiment, the three elements, namely the random number A, the random number b and the pattern c, are encrypted together by means of the private key PAKV. One thus obtains a number A− such that A−=PAKV(A, b, c). This number A− is transmitted to the receiver 11, where it is decrypted by means of the public key PAKB. This decryption must yield the three numbers A, b and c if the security module 10 and the receiver 11 are matched. As the number c has a preset known value, the receiver can easily verify it: it compares the value of c stored in the receiver with the one obtained after decryption. If these two values are not identical, the data exchange with the security module is stopped.

The random number b is sent back to the security module 10 for verification. To this end, it is first encrypted in the receiver 11 by means of the public key PAKB, which gives the number b″ (b″=PAKB(b)). This number b″ is then sent to the security module 10, where it is decrypted with the private key PAKV. The number thus decrypted is compared with the initial number b, and the data exchange is interrupted if these two numbers are not identical.

According to a second embodiment, the three elements, namely the random number A, the random number b and the pattern c, are encrypted separately in the security module 10 by means of the private key PAKV.

One then obtains three encrypted numbers. On decryption, if the security module and the receiver are matched, one obtains the random numbers A and b as well as the pattern c, as before.

The session key SK is formed, according to a known rule, from a combination of the random number A generated by the security module 10, the random number B generated by the receiver and possibly the random number b generated by the security module and/or the pattern c.

As all these elements are known both to the security module 10 and to the receiver 11, the session key can be formed on each side.

This embodiment is advantageous from several points of view.

On the one hand, it allows a first verification of the matching of the security module 10 and the receiver 11 to be carried out by means of the pattern c, using a unidirectional communication between the two devices. When the devices are not matched, it is desirable to carry out as few data exchanges as possible, which is achieved by verifying the contents of the pattern c.

On the other hand, by sending back the random number b, it is possible to verify the matching between the two devices with certainty and reliability without transmitting the random number A twice. This further improves the security of the data exchanges, since the quantity of confidential data exchanged between the two devices is minimised.

It should be noted that one can also add only a pattern c to the random number A. The verification of the matching between the two devices is then done only on the pattern c. Similarly, one can also add only another random number b, without a pattern c, to the random number A, the verification being made in the security module 10 on the random number b.
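The structure of A−=PAKV(A, b, c) from FIG. 3, as an added example that is not part of the patent: the plaintext the security module assembles before applying PAKV, and the receiver's check of the pattern c after applying PAKB. The byte layout (16-byte A and b, 8-byte c of alternating 0 and 1 bits) and the function names are assumptions, since the patent fixes neither; the asymmetric operation itself is left out, the block shows only what sits on either side of it.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Assumed layout for the plaintext of A- = PAKV(A, b, c); the patent fixes
// none. A and b are 16-byte random numbers, c is 8 bytes of alternating 0 and
// 1 bits (0xAA repeated), stored identically in module and receiver.
const (
	numLen     = 16
	patternLen = 8
)

var Pattern = bytes.Repeat([]byte{0xAA}, patternLen)

var ErrBadPattern = errors.New("pattern c does not match: devices not matched")

// PackABC builds (A, b, c) in the security module, ready for PAKV.
func PackABC(a, b []byte) ([]byte, error) {
	if len(a) != numLen || len(b) != numLen {
		return nil, errors.New("A and b must each be 16 bytes")
	}
	out := make([]byte, 0, 2*numLen+patternLen)
	out = append(out, a...)
	out = append(out, b...)
	return append(out, Pattern...), nil
}

// UnpackABC is the receiver side after applying PAKB. c is checked before any
// reply is sent, so a foreign module is refused after a single one-way
// message. Applying the wrong key yields noise, which survives this check
// with probability about 2^-(8*patternLen). The returned b is what the
// receiver echoes back as b'' = PAKB(b) for the module's own comparison.
func UnpackABC(blob []byte) (a, b []byte, err error) {
	if len(blob) != 2*numLen+patternLen {
		return nil, nil, errors.New("wrong length")
	}
	if subtle.ConstantTimeCompare(blob[2*numLen:], Pattern) != 1 {
		return nil, nil, ErrBadPattern
	}
	return blob[:numLen], blob[numLen:2*numLen], nil
}

func main() {
	a, b := make([]byte, numLen), make([]byte, numLen)
	rand.Read(a)
	rand.Read(b)
	blob, _ := PackABC(a, b)
	_, gotB, err := UnpackABC(blob)
	fmt.Println("matched devices:", err == nil && bytes.Equal(gotB, b))

	noise := make([]byte, len(blob)) // what decryption with a wrong key yields
	rand.Read(noise)
	_, _, err = UnpackABC(noise)
	fmt.Println("foreign module:", err)
}
```

The constant-time comparison matters less for c, which is a public constant, than as a habit for the b comparison on the module side, where the compared value is secret.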

In the embodiment disclosed in FIG. 4, the first steps of the method take place in the same way as in the one disclosed in FIG. 2. The random numbers A and B are generated respectively by the security module 10 and by the receiver 11. They are exchanged and verified in such a way as to ensure that the security module 10 and the receiver 11 are indeed matched. In this embodiment, the security module and the receiver furthermore hold a symmetric key PHK, carrying the reference 13. The random numbers A and B are not simply combined with each other to obtain a session key SK, as in the embodiment of FIG. 2, but are also combined with the symmetric key 13. The combination of these three elements can be done as before, by concatenation or by any other suitable function. According to a particular form of the invention, the session key SK is formed by encrypting the two concatenated numbers A and B with the symmetric key 13 (SK=PHK(A, B)).

This has the advantage of making unauthorised decryption of messages more difficult, since all the keys must be held in order to obtain any usable information. The security of the device is thus further reinforced. This embodiment is also advantageous because generating a very large number of different asymmetric key pairs is relatively slow and difficult. For simplification, faced with a very large number of users, it is desirable to assign the same pair of keys to several security module/receiver couples.

The symmetric key, on the other hand, is unique. So, by using the symmetric key in addition to the other keys, it is possible to guarantee that a security module is only usable with the corresponding receiver.
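The exchange of FIGS. 1 and 2 together with the FIG. 4 key derivation, as an added example that is not part of the patent: one Go program in which a matched security module and receiver run the handshake (A′=PAKV(A), B′=PAKB(B), the echoes A″ and B″ with comparison stage 12) and both derive SK=PHK(A, B). The type and function names are hypothetical. The patent's PAKV(x) and PAKB(x) are modelled as raw RSA exponentiation with math/big, which is the operation the description names, and HMAC-SHA256 is substituted for the keyed combination with PHK that the patent leaves unspecified. Note what the construction does and does not protect: applying PAKV to A is a signature-like operation, so anyone who has extracted PAKB recovers A from A′; against such an eavesdropper the secrecy of SK rests on B, which only the holder of PAKV can recover from B′, and on PHK.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Hypothetical types (the patent gives prose only): PAKV is the module's
// private key, PAKB the matching public key, PHK the shared symmetric key 13.
type SecurityModule struct {
	PAKV *rsa.PrivateKey
	PHK  []byte
}

type Receiver struct {
	PAKB *rsa.PublicKey
	PHK  []byte
}

var ErrNotMatched = errors.New("security module and receiver are not matched")

// PAKV(x) / PAKB(x) in the patent apply one key of the pair directly to a
// random number, i.e. textbook RSA without padding. Mirrored here with
// math/big; acceptable only because x is a fresh 128-bit value far below N.
// A production design would sign on the module side and use OAEP on the other.
func pakv(k *rsa.PrivateKey, x *big.Int) *big.Int { return new(big.Int).Exp(x, k.D, k.N) }
func pakb(k *rsa.PublicKey, x *big.Int) *big.Int {
	return new(big.Int).Exp(x, big.NewInt(int64(k.E)), k.N)
}

// randomNumber draws A or B: a fresh 128-bit random value.
func randomNumber() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// sessionKey is FIG. 4's SK = PHK(A, B): A||B under the symmetric key, with
// HMAC-SHA256 standing in for the keyed function the patent leaves open.
func sessionKey(phk []byte, a, b *big.Int) []byte {
	m := hmac.New(sha256.New, phk)
	m.Write(a.FillBytes(make([]byte, 16)))
	m.Write(b.FillBytes(make([]byte, 16)))
	return m.Sum(nil)
}

// Handshake runs the FIG. 2 exchange with mutual echo, then derives SK on both
// sides. Each value marked "->" would be one frame on the real link.
func Handshake(sm *SecurityModule, rc *Receiver) ([]byte, []byte, error) {
	// 1. Module: A, then A' = PAKV(A) -> receiver
	A, err := randomNumber()
	if err != nil {
		return nil, nil, err
	}
	Aprime := pakv(sm.PAKV, A)
	// 2. Receiver: recover A; B, then B' = PAKB(B) and echo A'' = PAKB(A) -> module
	Arcv := pakb(rc.PAKB, Aprime)
	B, err := randomNumber()
	if err != nil {
		return nil, nil, err
	}
	Bprime, Adouble := pakb(rc.PAKB, B), pakb(rc.PAKB, Arcv)
	// 3. Module: recover B; comparison stage 12 on A''; echo B'' = PAKV(B) -> receiver
	Bsm := pakv(sm.PAKV, Bprime)
	if pakv(sm.PAKV, Adouble).Cmp(A) != 0 {
		return nil, nil, ErrNotMatched
	}
	Bdouble := pakv(sm.PAKV, Bsm)
	// 4. Receiver: comparison stage 12 on B''
	if pakb(rc.PAKB, Bdouble).Cmp(B) != 0 {
		return nil, nil, ErrNotMatched
	}
	// 5. Both sides hold A and B and derive SK independently.
	return sessionKey(sm.PHK, A, Bsm), sessionKey(rc.PHK, Arcv, B), nil
}

// NewPair manufactures one matched couple: one RSA pair split between module
// and receiver plus a shared PHK, as loaded in a protected environment.
func NewPair() (*SecurityModule, *Receiver) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // only fails if the system RNG is broken
	}
	phk := make([]byte, 16)
	if _, err := rand.Read(phk); err != nil {
		panic(err)
	}
	return &SecurityModule{PAKV: key, PHK: phk}, &Receiver{PAKB: &key.PublicKey, PHK: phk}
}

func main() {
	sm, rc := NewPair()
	skM, skR, err := Handshake(sm, rc)
	fmt.Printf("matched pair: err=%v, keys agree=%v\n", err, bytes.Equal(skM, skR))
	other, _ := NewPair() // module from a different couple inserted in this receiver
	_, _, err = Handshake(other, rc)
	fmt.Printf("foreign module: err=%v\n", err)
}
```

A module from another couple is refused at comparison stage 12 before any session key exists. Two devices whose asymmetric pair matches but whose PHK differs complete the exchange yet end up with different session keys, which is exactly the additional matching guarantee the symmetric key 13 provides when one asymmetric pair is shared by several couples.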

It is possible to store the session key generated, for example, during the first use of the device and to always use this key.

However, for security reasons, it is advisable to generate a new key every time a new session is begun, a session being defined as the period between the start and the end of the data exchanges between the two devices. To increase the security of the communications even further, it is also possible to change the key during a single session at chosen intervals, for example at regular intervals or according to a defined algorithm, for example every two hours. In this way, any data that might have been obtained without authorisation can no longer be used after the maximum validity period of the session key.

According to a particular embodiment of the invention, one can use a "smart" security module or similar means, which allow different physical parameters to be measured, such as in particular the line impedance or the electric consumption. The value of this parameter or these parameters is compared at regular intervals with a reference value. When a difference beyond a tolerance level is noticed between the compared values, one can deduce that there is a risk of unauthorised reading of data on the system. In this case, one can, although this is not the preferred solution, cut off all data exchange between the receiver and the security module. A preferred solution consists of sending a request to the receiver asking it to generate a new session key. The data exchange is blocked if the receiver does not comply. This gives a dynamic system in which every attempt to access confidential data is watched. The measurement of the physical parameters can also be implemented in the receiver.

As is known to the expert, a receiver for pay-TV essentially includes a processing unit, a read-only memory, a demultiplexer, a descrambler, a digital/analogue converter, an external memory and a sound and image descrambler. In present systems, the processing unit, the read-only memory and the descrambler can be contained in the same electronic chip. In the systems of the prior art, the public key PAKB is generally contained in the external memory. This memory is accessible, so it is possible to read or modify its contents, which creates a risk of unauthorised reading of data.

In order to minimise this risk, the public key PAKB and/or the symmetric key 13 can advantageously be stored either in the read-only memory or in the descrambler. This greatly increases security because, to modify one of the keys, the electronic chip itself must be changed, which is not economically attractive and implies that counterfeit chips can be provided. The security of the communications is thus particularly effective.

It should be noted that, in the description of FIG. 4 above, the key carrying the reference 13 is described as a symmetric key. It is however also possible to use a pair of asymmetric keys in place of this symmetric key. In this case, two pairs of asymmetric keys are used. One of the pairs can be common to a group of users and the other unique. The two pairs can also both be unique.

In the description of the examples above, the first device corresponds to the security module and the second device to the receiver. It is clear that the method according to the invention operates in the same way if the first device is the receiver and the second device is the security module.

What is claimed is:
1. Data exchange method between two devices locally connected to one another, a first device of the two devices being a security module and a second device of the two devices being a receiver, the first device comprising at least one first encrypting key of a pair of asymmetric keys and the second device comprising at least the second encrypting key of said pair of asymmetric keys, this method comprising: generating at least one first random number in the first device, generating at least one second random number in the second device, encrypting said first random number by said first encrypting key, the first encrypting key initialized in the first device during an initialization phase of the first device in a first protected environment, encrypting said second random number by said second encrypting key, the second encrypting key initialized in the second device during an initialization phase of the second device in a second protected environment, transmitting said first encrypted random number to the second device, transmitting said second encrypted random number to the first device, decrypting the first encrypted random number in said second device, decrypting the second encrypted random number in said first device, combining said random numbers generated by one of the devices and received by the other device to generate a session key, and using the session key to encrypt and decrypt all or part of the exchanged data between the first and second device.

2. Data exchange method according to claim 1, wherein the first encrypted random number, transmitted to the second device and decrypted by the second device, is encrypted by said second device by means of said second encrypting key, transmitted in an encrypted form to said first device, decrypted in the first device by means of the first encrypting key and compared to said first random number previously generated by the first device, and wherein a data transfer between the first and second devices is stopped if the compared random numbers are not identical.

3. Data exchange method according to claim 1, wherein the second random number, transmitted to the first device and decrypted in the first device, is encrypted by said first device by means of said first encrypting key, transmitted in an encrypted form to said second device, decrypted in the second device by means of the second encrypting key and compared to said second random number previously generated by the second device, and wherein a data transfer between the first and second devices is stopped if the compared random numbers are not identical.

4. Data exchange method according to claim 1, in which said first device and said second device contain a symmetric encrypting key, wherein the random numbers are combined with said symmetric key to generate the session key.

5. Data exchange method according to claim 1, wherein the combination of said random numbers is a concatenation.

6. Data exchange method according to claim 4, wherein the combination of said random numbers is a concatenation.

7. Data exchange method according to claim 1, wherein the session key is regenerated as a function of a determined parameter of use.

8. Data exchange method according to claim 7, wherein the determined parameter of use is the duration of use.

9. Data exchange method according to claim 1, wherein at least one of the two devices measures at least one representative physical parameter of the communication, such as the line impedance and/or the electric consumption, wherein at least one of the two devices compares the measured values to reference values, and wherein at least one of the two devices acts on the data exchange when the measured parameters differ from the reference values by more than a threshold value.

10. Data exchange method according to claim 9, wherein at least one of the two devices acts by stopping the data exchange between the two devices.

11. Data exchange method according to claim 9, wherein the session key is regenerated as a function of a determined parameter of use and wherein the determined parameter of use is the representative physical parameter of the communication.

12. Data exchange method according to claim 1, wherein at least one of the devices generates at least one supplementary random number, this supplementary random number is encrypted by said first encrypting key, this supplementary encrypted random number is transmitted to the second device, this transmitted encrypted supplementary random number is decrypted in this second device, the decrypted supplementary random number is encrypted by said second encrypting key, the supplementary encrypted random number is transmitted to the first device, the supplementary random number decrypted in the first device is compared to the initial supplementary random number generated in said first device, and the information exchange is interrupted if the comparison indicates that the two compared numbers are not identical.

13. Data exchange method according to claim 1, wherein at least one of the devices determines at least one predefined fixed number memorized in the two devices, this predefined fixed number is encrypted by said first encrypting key, this predefined fixed encrypted number is transmitted to the second device, this transmitted encrypted predefined fixed number is decrypted in this second device, the predefined fixed number decrypted in the second device is compared to the predefined fixed number memorized in this second device, and the data exchange is interrupted if the comparison indicates that the two compared numbers are not identical.

14. Data exchange method according to claim 12, wherein each of the numbers is encrypted separately.

15. Data exchange method according to claim 13, wherein each of the numbers is encrypted separately.

16. Data exchange method according to claim 12, wherein a combination of each of the numbers is encrypted.

17. Data exchange method according to claim 13, wherein a combination of each of the numbers is encrypted.

18. Receiver for carrying out the method according to claim 1, this receiver comprising at least one calculation unit, a read-only memory, a demultiplexer, a descrambler, a digital/analog converter, an external memory and a sound and image descrambler, wherein at least the calculation unit, the read-only memory and the descrambler are contained in a same electronic chip and wherein at least one of the encrypting keys is stored in said electronic chip.

19. Receiver according to claim 18, wherein at least one of the numbers is stored in said electronic chip.

20. A data exchange method between a security module locally connected to a receiver, the security module including a first encrypting key of a pair of asymmetric keys and the receiver including a second encrypting key of said pair of asymmetric keys, the method comprising: generating at least one first random number in the security module, generating at least one second random number in the receiver, encrypting said first random number by said first encrypting key, the first encrypting key initialized in the security module during an initialization phase of the security module in a first protected environment, encrypting said second random number by said second encrypting key, the second encrypting key initialized in the receiver during an initialization phase of the receiver in a second protected environment, transmitting said encrypted first random number to the receiver, transmitting said encrypted second random number to the security module, decrypting the encrypted first random number in the receiver, decrypting the encrypted second random number in the security module, combining the decrypted second random number with the first random number generated in the security module, and combining the decrypted first random number with the second random number generated in the receiver, said combinations generating a session key in the security module and the receiver, and using the session key to encrypt and decrypt at least a portion of data exchanged between the security module and receiver, wherein the encrypted first random number, transmitted to the receiver and decrypted by the receiver, is encrypted by the receiver using the second encrypting key, transmitted in an encrypted form to the security module, decrypted in the security module using the first encrypting key, and compared with the first random number previously generated in the security module, and a data transfer between the security module and the receiver is stopped if the compared random numbers are not identical.